My petition got to over 10,000 signatures and so we have a response from the government.
As expected, the response basically contradicts itself. I am tempted to do another petition calling for the government to admit it does not understand what encryption means.
Encryption is important
The first part is good. It says "This Government recognises the importance of encryption, which helps keep people's personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet..." It goes on to explain how important it is.
This is good - well done HMG, you understand it is important!
Indeed, the threat by "cyber means" is real, we see it every day in phishing emails and hacking attempts. It is way more of a threat than terrorists.
CPs already required to remove encryption
There is a bit that makes less sense: "There are already requirements in law for Communication Service Providers in certain circumstances to remove encryption that they have themselves applied from intercepted communications."
Now, this does at least finally confirm that when they say "protection" in the new bill, they are referring to "encryption".
But it makes no sense. Why would you have an intercepted communication that is encrypted? Surely you ask the CP to intercept at a point where it is not encrypted. If they are a party to the encryption (as is the case for GSM mobile phones, which are encrypted on the air) then why not simply have the CP do the intercept at their end, where it is not encrypted (as is the case in the normal telephone network)?
So it is not clear what the use case for this legislation is.
The issue here is what happens when the CP is not a party to the encryption, but is somehow deemed to have "applied" it? This is where it gets more complex, and silly. For a start, any CP that has "applied" encryption which is in fact "end to end" can simply make the party that does the software for the encryption (the "app" on the phone) a separate legal entity that is not a CP, and bingo, that clause in the law is simply meaningless. If the law passes and CPs get asked to remove end to end encryption, that is a very simple side step to fix the issue.
There could, perhaps, be a scenario where there is an intercept at a broadband provider which captures https traffic, and the web site provider is somehow considered to be a communications provider and asked to remove the encryption. Again, better to intercept at the web site where the data is unencrypted, but in this scenario could the web site operator remove it? Well, no: encryption has moved on in the battle against criminals to make that impossible. The threat that a criminal could have intercepts and later get access to the keys was a real concern, and systems have been designed to avoid that.
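The property described above is usually called forward secrecy. The sketch below is an added example, not part of the original post: it contrasts a session keyed to a site's long-term key with one keyed by throwaway (ephemeral) Diffie-Hellman keys, and shows what the operator can later recover from a recorded capture. The 127-bit prime, the toy stream cipher and all function names are assumptions made for illustration and are far too weak for real use.

```python
import hashlib
import secrets

# Toy parameters for readability only (assumption): far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(peer_public, own_private):
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_cipher(key, data):
    # Toy stream cipher: SHA-256 in counter mode; the same call encrypts and decrypts.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def static_session(server_public, message):
    # Older style: the client keys the session to the site's long-term public key.
    c_priv, c_pub = keypair()
    key = session_key(server_public, c_priv)
    return {"client_pub": c_pub, "ciphertext": xor_cipher(key, message)}

def ephemeral_session(message):
    # Forward-secret style: both ends use fresh key pairs, discarded on return.
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    key = session_key(s_pub, c_priv)
    assert key == session_key(c_pub, s_priv)  # both ends derive the same key
    return {"client_pub": c_pub, "server_pub": s_pub,
            "ciphertext": xor_cipher(key, message)}

def decrypt_with_long_term_key(capture, long_term_private):
    # All the operator can do later: combine its stored key with the capture.
    key = session_key(capture["client_pub"], long_term_private)
    return xor_cipher(key, capture["ciphertext"])

def demo():
    long_term_priv, long_term_pub = keypair()
    message = b"constructed sample message"
    old = static_session(long_term_pub, message)
    new = ephemeral_session(message)
    return (decrypt_with_long_term_key(old, long_term_priv) == message,
            decrypt_with_long_term_key(new, long_term_priv) == message)

if __name__ == "__main__":
    print(demo())
```

In the ephemeral case the long-term key would only be used to authenticate the site; the secrets that produced the session key no longer exist anywhere, so there is nothing for the operator to hand over.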
So the issue here is whether the requirement to remove protection when asked means that CPs have to take steps now so that later they will be able to comply? Such steps are exactly what the government has stated they do not intend: "the Government does not require the provision of a back-door key or support arbitrarily weakening the security of internet services".
So if people are not expected to weaken security of internet services, they are not required to make it so they can later remove encryption if asked?
No safe place for people to communicate
The bit that is really contradictory is "There shouldn’t be a guaranteed safe space for terrorists, criminals and paedophiles to operate beyond the reach of law."
They want it so that a warrant can be issued to "access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts". Well, that would only be possible if you banned encryption or "weakening the security of internet services". A contradiction!
Remember that encryption is possible with pen and paper!
Explain it as you would, to a child...
To keep us safe from criminals we need encrypted communications. If you have encrypted communications which are not weakened in some way then that means Alice can communicate with Bob without Charlie being able to see that communication.
For this to work it needs to be MATHEMATICALLY IMPOSSIBLE (within any reasonable timescale) to get access to the communications as a third party.
This means that it does not matter that Charlie is a policeman with a warrant, and it does not matter how carefully controlled and restricted and monitored the issue of warrants is, it still remains MATHEMATICALLY IMPOSSIBLE for Charlie to get access to that communication.
Anything short of being MATHEMATICALLY IMPOSSIBLE is unacceptably weakened encryption and will not keep people safe. The government have stated they do not intend that. It would mean there was a vulnerability to criminals accessing the communications as well.
It also does not matter if Alice or Bob happen to be criminals or terrorists. Mathematics does not have special ways of working when a criminal is the one operating the calculator or computer.
They are clearly confused
The fact that the government claim to support encryption but still think that they can get access to communications (with a warrant) means they basically do not understand what encryption is. They should admit that and remove the requirement to "remove encryption" and perhaps even make it law that nobody should ever be required to remove encryption.
P.S. Just to be clear
Some people think I have misunderstood their response. They are very clear that "The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can, subject to a warrant which can only be issued using a strict authorisation process where it is necessary and proportionate, access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."
This can only work if :-
(a) The terrorists choose not to use encryption in which case there is no real work involved.
(b) The use of such encryption is outlawed and that legislation is somehow effective and stops the terrorists using encryption even covertly. They say they are not intending that, and it would be stupid anyway.
(c) All encryption is weakened such that it does not provide the parties to the communication with absolute certainty that no third party can get access. If that happens it is not acceptable for privacy and security, as such a third party could just as easily be a criminal as the police. Again they say they are not intending to do that.
I cannot see any other options - do say if I missed one. As (b) and (c) are clearly stated as something the government do not intend, the only option is (a): terrorists choose not to use encryption. Well, if that is the case, none of this legislation is needed.